Standardizing, Modernizing, Securing Health Information Technology (IT)
Session 9, February 12, 2019
Mr. T “Pat” Flanders, Military Health System (MHS) Chief Information Officer (CIO)
Conflict of Interest
Mr. Thomas “Pat” Flanders, SES
Defense Health Agency (DHA) Chief Information Officer (CIO)
Deputy Assistant Director Information Operations (DAD IO)
Has no real or apparent conflicts of interest to report
Agenda
Enterprise overview
Role of DAD IO/J-6
Standardization
How we get there
Questions
Learning Objectives
Describe the important changes and direction of MHS health IT
Discuss how DAD IO/J-6 works to ensure the right information is accessible to the right customers at the right time and in the right way
Describe how DAD IO/J-6 is supporting partnerships among the Services, DHA, the Department of Veterans Affairs (VA) and Industry to implement and sustain a protected health IT environment
What is the MHS?
A Week in the Life of the MHS
What IT is Involved?
MHS Future State
Hyper Variance … We Own “One of Everything”
Health IT: Reform Objective & Mission
Our Target For Savings
History: Since 2014, DHA and the Services have undergone comprehensive IT Reform
analysis and are executing plans to achieve required savings
Four Areas Identified For Efficiencies:
Creation of Shared Services: Includes reengineering IT management, help desks,
and portfolio rationalization (FY15-19)
Medical Network Modernization: IT optimization including Infrastructure, Cyber,
Microsoft Windows Active Directory (FY17-21)
Electronic Health Record (EHR) Modernization: MHS GENESIS replacement of
legacy systems (FY18-22)
Reduce Manpower: Reduction in IT staffing footprint, elimination of duplicative IT
systems, and consolidation of infrastructure and support capabilities (FY19-23)
MHS IT Reform Manpower Decrement By Component ($M)*

Component        FY19    FY20    FY21    FY22    FY23   FYDP Total
Services        -16.6   -95.2  -148.5  -150.3  -107.2       -517.8
DHA              -9.5   -89.8  -241.5  -299.6  -390.8     -1,031.1
Total Decrement -26.0  -185.0  -390.0  -450.0  -498.0     -1,549.0
Health IT Implementation Plan
D2D: Desktop to Datacenter
Three lines of effort will reduce duplicative IT services and systems, reduce the
IT manpower footprint and standardize IT business processes and workflows
Centralized Services
D2D program provides centralized, standardized core infrastructure capabilities that
collectively enable healthcare operations including the deployment of the Department of
Defense’s (DoD’s) new electronic health record (EHR) MHS GENESIS
Orchestrating D2D Implementation
Centralized Services
LPNI = Low probability of being replaced,
no interface
LPI = Low probability of being replaced,
requires interface
Continued Standardization Of Products
Current tool portfolio is decentralized and contains duplicative and
varying tools with unknown statuses and critical tool information
Many were acquired for local necessity without a common enterprise
standard to gain efficiencies and provide centralized management
capabilities
FY19-21:
34/117 tools rationalized
Allows shutdown of 616 servers
Know Ourselves
5+3 tMTFs
All Other MTFs
Centrally managed IT
Analysis
“All Humans” Visibility
“All Budgets” Visibility
Savings
Identify redundancy, non-standard products
Developing “Cost Warriors”… Important Traits
Personal accountability: Ask “who” is responsible … not “what office, committee, or governance group is responsible”
Financial accountability: Personally manage money to the level of the check and the name of the person who can justify it
Schedule accountability: Ask “by when”
o If something doesn’t get done on time, it usually means that it costs more money … ask “can you still afford it?” … “what can you not do elsewhere to be able to afford it?” … do not become a burden to your clinicians, patients, or the enterprise
Customer focus:
o Nobody likes going to the DMV
o Must know customer priorities … and communicate that understanding … constantly
Engineering competency: “Own the technical baseline” … don’t outsource your brain … or you’ll pay too much
Contracting: Plan for it to take longer than you think … have a plan A, B, and C … strive for no 4th QTR awards
Never stop refining your understanding of what you do, why you do it, and how you do it
Cybersecurity Compliance: There are two kinds of lawyers … “Judgement vs. Counsel”
Recognize and Combat Cyber Risk
85,000 records
Ransomware attack
Defense-In-Depth
Department of Defense (DoD): Common network information assurance (IA) controls
D2D: DHA specific common IA controls
Site enclave: Site specific IA controls
Med-COI architecture: Zone specific IA controls
Individual systems and medical devices address/comply with remaining IA controls
Enable Risk Balancing
Building Security In
Help us and yourselves by building to DoD required security standards, including:
National Institute of Standards and Technology (NIST) Standards
https://www.nist.gov
Security Technical Implementation Guide (STIG) standards
Provide technical guidance to “lock down” information systems/software
https://iase.disa.mil
DISA STIG Customer Support Desk: disa.stig.spt@mail.mil
Security Requirements Guides (SRG)
Provide high level guidance where product specific STIGs don’t exist
https://iase.disa.mil
Questions
For additional questions, please contact us at dha.ncr.health-it.mbx.director-workflow@mail.mil
Please complete the online session evaluation